Commit:     d496f94d22d1491ffb25f4000e85f7a4ecf7f2c4
Parent:     3ace426f9575dd112252d72baaee4554fcb2e450
Author:     Alan Cox <[EMAIL PROTECTED]>
AuthorDate: Wed Nov 7 23:58:10 2007 +0000
Committer:  James Bottomley <[EMAIL PROTECTED]>
CommitDate: Wed Jan 23 11:29:27 2008 -0600

    [SCSI] aacraid: fix security weakness
    Actually there are several but one is trivially fixed
    1.  FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list
    but needs to
    3.  It is possible to construct an attack via the SRB ioctls where
    the user obtains assorted elevated privileges. Various approaches are
    possible, the trivial ones being things like writing to the raw media
    via scsi commands and the swap image of other executing programs with
    higher privileges.
    So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating
    ones. This is a bandaid fix for #3 but probably the ioctls should grow
    their own capable checks. The other two bugs need someone competent in that
    driver to fix them.
    Signed-off-by: Alan Cox <[EMAIL PROTECTED]>
    Signed-off-by: Mark Salyzyn <[EMAIL PROTECTED]>
    Signed-off-by: James Bottomley <[EMAIL PROTECTED]>
 drivers/scsi/aacraid/linit.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 0523cc6..143e4c1 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -517,6 +517,8 @@ static struct device_attribute *aac_dev_attrs[] = {
 static int aac_ioctl(struct scsi_device *sdev, int cmd, void __user * arg)
        struct aac_dev *dev = (struct aac_dev *)sdev->host->hostdata;
+       if (!capable(CAP_SYS_RAWIO))
+               return -EPERM;
        return aac_do_ioctl(dev, cmd, arg);
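Review bot: The capable(CAP_SYS_RAWIO) check added at the top of aac_ioctl() protects only this entry point, so any other path in the driver that reaches aac_do_ioctl() would still run without it. Please confirm that no other caller exists, or move the check into aac_do_ioctl() itself so it cannot be bypassed. The check is also unconditional on cmd, while the commit message only calls for restricting "at least all the FIB manipulating ones". If any of the commands are harmless queries that unprivileged management tools depend on, they will now get -EPERM. A short comment above the check saying that it is a stopgap until per-command capable() checks are added would help the next reader. Item 1 in the message (FSACTL_GET_NEXT_ADAPTER_FIB not locking dev->fib_list) is not touched by this hunk and still needs its own fix.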